FOREWORD

This report is intended for the use of Defense Finance and Accounting Service (DFAS) and Defense Information Systems Agency (DISA) management, its user organizations, and the independent auditors of its user organizations. DoD personnel who manage and use the Defense Civilian Pay System (DCPS) will also find this report of interest as it contains information about DCPS general and application controls.

DCPS is a pay processing system used to pay DoD civilian employees, as well as employees at several other Federal entities, including the Departments of Energy and Health and Human Services, and the Executive Office of the President. In 2004, DCPS processed approximately $42.3 billion of pay transactions and paid approximately 762,000 employees on a bi-weekly basis.

The DoD Office of Inspector General (DoD OIG) is implementing a long-range strategy to conduct audits of DoD financial statements. The Chief Financial Officers Act of 1990 (P.L. 101-576), as amended, mandates that agencies prepare and conduct audits of financial statements. The reliability of information in DCPS directly impacts the Defense Department’s ability to provide reliable, and ultimately auditable, financial statements, which is key to achieving the goals of the Chief Financial Officers Act.

This audit assessed the application and general computer controls over DCPS and its related processing. Those application and general computer controls are managed and maintained by DFAS and DISA. This report provides an opinion on the fairness of presentation, the adequacy of design, and the operating effectiveness of key application and general computer controls that are relevant to audits of user organization financial statements. As a result, this audit precludes the need for multiple audits of DCPS controls previously performed by user organizations to plan or conduct financial statement and performance audits. This audit will also provide, in a separate audit report, recommendations to management for correction of identified control deficiencies. Effective internal control is critical to achieving reliable information for all management reporting and decision-making purposes.

Certain DCPS general computer controls are maintained by DISA-Mechanicsburg. DISA-Mechanicsburg was included in the scope of a separate DISA-wide general computer controls audit that provided a Service Auditor’s Report, Report No. D-2005-105, “Report on Defense Information Systems Agency, Center for Computing Services Controls Placed in Operation and Tests of Operating Effectiveness for the Period October 1, 2004 through April 30, 2005,” September 6, 2005. This DISA-wide audit included certain general computer controls that were directly related to DCPS. In order to reduce duplication of effort and minimize the audit footprint on DISA, the DCPS-related general computer controls maintained by DISA-Mechanicsburg and covered by the DISA-wide audit were excluded from the scope of this SAS 70 audit. The control objectives that were not covered for DISA-Mechanicsburg as part of this audit included:

• Control Objective 1: Risks are periodically assessed.

• Control Objective 3: A security management structure has been established, information security responsibilities are clearly assigned, and expected behavior of all personnel is in place.

• Control Objective 20: Passwords, tokens, or other devices are used to identify and authenticate users.

• Control Objective 46: Individuals requiring access to sensitive information are processed for access authorization in accordance with DoD personnel security policies.

• Control Objective 58: Access authorizations are appropriately limited.

• Control Objective 62: Incompatible duties have been identified and policies implemented to segregate these duties.

• Control Objective 63: System management job descriptions have been documented.

• Control Objective 64: System management employees understand their duties and responsibilities.

• Control Objective 65: Management reviews effectiveness of control techniques.

• Control Objective 66: Formal procedures guide system management personnel in performing their duties.

• Control Objective 68: Active supervision and review are provided for all system management personnel.

Certain control objectives listed above were still relevant to other locations included in the scope of this DCPS audit (for example, the Technology Services Organization [TSO]) and are included in this report for those locations. In certain situations where the above control objective would only apply to DISA-Mechanicsburg and was not tested, we inserted “Control objective left intentionally blank” in order to preserve our control objective numbering scheme. User organizations and their auditors who use this report as part of their audit planning procedures should also read Report No. D-2005-105, “Report on Defense Information Systems Agency, Center for Computing Services Controls Placed in Operation and Tests of Operating Effectiveness for the Period October 1, 2004 through April 30, 2005,” September 6, 2005 to understand the design and operating effectiveness of the general computer controls maintained by DISA-Mechanicsburg.


Section I: Independent Service Auditor’s Report

INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
400 ARMY NAVY DRIVE
ARLINGTON, VIRGINIA 22202-4704

September 15, 2005

MEMORANDUM FOR UNDER SECRETARY OF DEFENSE (COMPTROLLER)/CHIEF FINANCIAL OFFICER
ASSISTANT SECRETARY OF DEFENSE (NETWORKS AND INFORMATION INTEGRATION)/DOD CHIEF INFORMATION OFFICER
DIRECTOR, DEFENSE FINANCE AND ACCOUNTING SERVICE
DIRECTOR, DEFENSE INFORMATION SYSTEMS AGENCY

SUBJECT: Report on the Defense Civilian Pay System Controls Placed in Operation and Tests of Operating Effectiveness for the Period October 1, 2004 through June 30, 2005


We have examined the accompanying description of the general computer and application controls related to the Defense Civilian Pay System (DCPS) (Section II). DCPS is sponsored and used by the Defense Finance and Accounting Service (DFAS) and maintained and technically supported by the Defense Information Systems Agency (DISA) and technical support elements of DFAS. As such, the DCPS general computer and application controls are managed by both DISA and DFAS. Our examination included procedures to obtain reasonable assurance about whether (1) the accompanying description presents fairly, in all material respects, the aspects of the controls at DFAS and DISA that may be relevant to a DCPS user organization’s internal controls as it relates to an audit of financial statements; (2) the controls included in the description were suitably designed to achieve the control objectives specified in the description, if those controls were complied with satisfactorily, and user organizations applied those aspects of internal controls contemplated in the design of the controls at DFAS and DISA; and (3) such controls had been placed in operation as of June 30, 2005.

The control objectives were specified by the Department of Defense Office of Inspector General (DoD OIG). Our examination was performed in accordance with standards established by the American Institute of Certified Public Accountants and the standards applicable to financial audits contained in Government Auditing Standards issued by the Comptroller General of the United States, and included those procedures we considered necessary in the circumstances to obtain a reasonable basis for rendering our opinion.

The accompanying description includes only those application control objectives and related controls resident at the Charleston, SC; Pensacola, FL; and Denver, CO payroll offices and does not include application control objectives and related controls at the National Security Agency (NSA) payroll office. In addition, DCPS processes approximately 140 interface files from DoD and external systems. Examples of these interface systems include the Defense Civilian Personnel Data System, Automated Time and Attendance and Production System, Automated Disbursing System, and the Defense Joint Accounting System. The accompanying description does not include control objectives and general and application controls related to the systems that interface with DCPS. Our examination did not extend to the controls resident at the National Security Agency payroll office and related systems that interface with DCPS.

Our examination was conducted for the purpose of forming an opinion on the description of the DCPS general and application controls at DFAS and DISA (Section II).

Information about business continuity plans and procedures at DFAS and DISA, as provided by those organizations and included in Section IV, is presented to provide additional information to user organizations and is not a part of the description of controls at DFAS and DISA. The information in Section IV has not been subjected to the procedures applied in the examination of the aforementioned description of the controls at DFAS and DISA related to their business continuity plans and procedures and, accordingly, we express no opinion on the description of the business continuity plans and procedures provided by DFAS and DISA.

As discussed in the accompanying “Description of DCPS Operations and Controls Provided by DFAS and DISA” (Section II), DISA-Mechanicsburg has processes in place for testing and implementing system software changes. System software change testing results were not required to be documented and maintained. In addition, the charter for the local Configuration Control Board at DISA-Mechanicsburg was not approved. As a result, the design of the controls did not provide reasonable assurance that the control objective “system software changes are authorized, tested, and approved and documented before implementation” would be achieved.

In our opinion, the accompanying description of the general computer and application controls at DFAS and DISA related to DCPS (Section II) presents fairly, in all material respects, the relevant aspects of the controls at DFAS and DISA that had been placed in operation as of June 30, 2005. Also, in our opinion, the controls, except for the design deficiency referred to in the preceding paragraph, as described, are suitably designed to provide reasonable assurance that the specified control objectives would be achieved if the described controls were complied with satisfactorily and users applied those aspects of internal control contemplated in the design of the controls at DFAS and DISA.

In addition to the procedures that we considered necessary to render our opinion as expressed in the previous paragraph, we applied tests to specified controls, listed in Section III, to obtain evidence about their effectiveness in meeting the related control objectives described in Section III during the period of October 1, 2004 through June 30, 2005. The specific control objectives, controls, and the nature, timing, extent, and results of the tests are documented in Section III. This information has been provided to DCPS user organizations and to their auditors to be taken into consideration, along with information about the user organizations’ internal control environments, when making assessments of control risk for such user organizations.

In performing our examination, we identified the following operating effectiveness deficiencies related to the controls described in the “Description of DCPS Operations and Controls Provided by DFAS and DISA” (Section II):

DCPS User Access

The accompanying description includes control activities relating to DFAS processes for providing access to DCPS. For every DCPS user, DFAS required a Systems Access Authorization Request (SAAR) form to be completed, indicating the user’s access to DCPS and the authorization by an appropriate supervisor granting such access. Upon examining a selection of 45 randomly selected SAAR forms for payroll office users’ access to DCPS, we identified seven SAAR forms where the access granted in DCPS did not match the access authorized on the SAAR form. In addition, one of the 45 payroll office users’ SAAR forms selected for testing did not contain a supervisor’s signature. Upon examining a selection of 45 randomly selected SAAR forms for non-payroll office users’ access to DCPS, we identified four SAAR forms where the access granted in DCPS did not match the access authorized on the SAAR form. In addition, four of the 45 non-payroll office users’ SAAR forms could not be located. As a result, the following control objectives that rely on this control may not have been fully achieved during the period of October 1, 2004 through June 30, 2005:

“Controls provide reasonable assurance that all application users are appropriately identified and authenticated. Access to the application and output is restricted to authorized users for authorized purposes,”

“Controls provide reasonable assurance that changes to the payroll master files and withholding tables are authorized, input, and processed timely,” and

“Controls provide reasonable assurance that data transmissions in DCPS from user organizations are authorized, complete, accurate and secure.”

DCPS Processing Error Monitoring

The accompanying description includes control activities relating to DFAS procedures for processing errors from interfacing personnel systems. The Personnel Interface Invalid Report (P6606R01) is a key control for monitoring and resolving DCPS interface processing errors. At the DFAS-Denver payroll office, the Personnel Interface Invalid Reports could not be provided for the period October 1, 2004 through March 27, 2005, which represented 18 of the 45 reports randomly selected for testing. Furthermore, one of the 27 Personnel Interface Invalid Reports for the period March 28, 2005 to June 30, 2005 could not be located (leaving 26 reports available for review). The available Personnel Interface Invalid Reports subsequent to March 27, 2005 were examined to determine if the reports were annotated, indicating the report exceptions were resolved. We identified that annotations on 23 of the 26 available Personnel Interface Invalid Reports for the period of March 28, 2005 to June 30, 2005 did not include the corrective actions taken, 18 out of the 26 Personnel Interface Invalid Reports provided were not dated as completed, and 12 of the 26 Personnel Interface Invalid Reports were not initialed as completed. At the DFAS-Charleston payroll office, because the document management system that stores electronic copies of the Personnel Interface Invalid Report does not allow annotation of the Personnel Interface Invalid Reports, and because management reviewed only a random selection of the reports (instead of all reports), the audit team concluded that the controls are not in place to ensure that the Personnel Interface Invalid Reports are properly corrected, annotated, and reviewed by supervisors. Therefore, testing of the reports at the DFAS-Charleston Payroll Office was not performed. At the DFAS-Pensacola payroll office, 10 of the 44 Personnel Interface Invalid Reports selected for testing were not available for review. The remaining 34 reports that were reviewed did not always have the final resolution of errors annotated in the report. Without documented evidence of supervisory reviews and actions taken to address items on this report, there is a lack of a documented audit trail related to the use of this report as a control. As a result, the following control objectives that rely on this control may not have been fully achieved during the period of October 1, 2004 through June 30, 2005:

“Controls provide reasonable assurance that changes to the payroll master files and withholding tables are authorized, input, and processed timely,”

“Controls provide reasonable assurance of the integrity and reliability of DCPS data for financial reporting purposes,”

“Controls provide reasonable assurance that fiscal year-end, leave-year-end and calendar year-end processing occurs in accordance with established Government-wide and agency guidelines,” and

“Controls are reasonable to ensure that transactions from interfacing systems are subjected to the payroll system edits, validations and error-correction procedures.”

DCPS Interfaces

All DCPS interfaces should have a documented Memorandum of Agreement. The Memorandum of Agreement documents key information about an interface, such as impacted parties, interconnection requirements, points of contact, security requirements, technical platform information, interface file information, and designated signatories. However, 43 out of 148 DCPS interfaces did not have a documented Memorandum of Agreement in place. As a result, the control objective “owners determine disposition and sharing of data” may not have been fully achieved during the period of October 1, 2004 through June 30, 2005.

DCPS System Access

For every DCPS system support user at DISA-Mechanicsburg, DISA required a system access request form (Form DD 2875) to be completed, including the access the user required within DCPS and the appropriate supervisor’s authorization granting such access. For four out of 45 DISA-Mechanicsburg personnel haphazardly selected for testing, justification for access was not detailed on the system access request form. As a result, the control objective “access settings have been implemented in accordance with the access authorizations established by the resource owners” may not have been fully achieved during the period of October 1, 2004 through June 30, 2005.

DCPS Application Change Controls

Testing of DCPS application changes is required to be documented. Testing documentation for 47 of 50 sampled items selected for testing could not be provided by DFAS during the audit. As a result, the control objective “changes are controlled as programs progress through testing to final approval to ensure completeness, authorization, software quality requirements and validation methods that are focused on the minimization of flawed or malformed software that can negatively impact integrity or availability (e.g., buffer overruns) are specified for all software development initiatives” may not have been fully achieved during the period of October 1, 2004 through June 30, 2005.
In our opinion, except for the deficiencies in operating effectiveness noted in the preceding paragraphs, the controls that were tested, as described in Section III, were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives specified in Section III were achieved during the period of October 1, 2004 through June 30, 2005. However, the scope of our engagement did not include tests to determine whether control objectives not listed in Section III were achieved; accordingly, we express no opinion on the achievement of control objectives not included in Section III.


The relative effectiveness and significance of specific controls at DFAS and DISA, and their effect on assessments of control risk at user organizations, are dependent on their interaction with the internal control environment and other factors present at individual user organizations. We have performed no procedures to evaluate the effectiveness of internal controls placed in operation at individual user organizations.

The description of the controls at DFAS and DISA is as of June 30, 2005, and information about tests of their operating effectiveness covers the period of October 1, 2004 through June 30, 2005. Any projection of such information to the future is subject to the risk that, because of change, the description may no longer portray the system in existence. The potential effectiveness of specific controls at DFAS and DISA is subject to inherent limitations and, accordingly, errors or fraud may occur and not be detected. Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that: (1) changes made to the system or controls, (2) changes in processing requirements, or (3) changes required because of the passage of time may alter the validity of such conclusions.

This report is intended solely for use by DCPS management, its user organizations, and the independent auditors of such user organizations.

By direction of the Deputy Inspector General for Auditing:

Assistant Inspector General
Defense Financial Auditing Service


Section II: Description of DCPS Operations and Controls Provided by DFAS and DISA

II. Description of DCPS Operations and Controls Provided by DFAS and DISA

A. Overview of DCPS


Purpose of DCPS

In 1991, the DoD selected DCPS to serve as its standard payroll system for use by all DoD activities paying civilian employees, except Local Nationals and those funded by Non-appropriated Funds and Civilian Mariners. Before becoming the DoD-wide civilian pay system, DCPS was the Navy civilian pay system, which had been in operation since 1988. From a life cycle perspective, DCPS is in the maintenance phase, with changes mainly being driven by legislative and functional enhancements. The DCPS program mission is to process payroll for DoD civilian employees in accordance with existing regulatory, statutory, and financial information requirements relating to civilian pay entitlements and applicable policies and procedures. The DoD civilian pay program must satisfy the complex and extensive functional, technical, and interface requirements associated with the DoD civilian pay function. The functional areas include: employee data maintenance; time and attendance; leave; pay processing; deductions; retirement processing; debt collection; special actions; disbursing and collection; reports processing and reconciliation; and record maintenance and retention. DCPS provides standard interface support to various accounting, financial management, and personnel systems.

DCPS began paying the Executive Office of the President (EOP) in 1998. As part of the President’s Management Agenda e-Payroll initiative, DFAS was selected as one of four federal payroll providers to service the entire executive branch of the Federal government. DFAS began processing payroll for the Department of Energy (DOE) in 2003 and the Department of Health and Human Services (HHS) in 2005. DCPS currently processes pay for approximately 762,000 employees.

DCPS is used primarily by approximately 350 payroll processing personnel at three DFAS payroll offices located in Pensacola, FL; Charleston, SC; and Denver, CO. DCPS is also used by NSA¹. Additional users are the Customer Service Representatives (CSRs) at customer activities and sites. Payroll for DoD civilians is processed by all three DFAS payroll offices. The EOP payroll is processed by the Pensacola payroll office and the DOE and HHS payrolls are processed by the Charleston payroll office.

DCPS Support Functions

The DFAS Military and Civilian Pay Services (M&CPS) Business Line (under the cognizance of the DFAS Director) provides high-level management control and coordination within DoD and for external customers. The Civilian Pay Services Product Line (within the M&CPS) has overall daily responsibility for application, operation, interpretation and implementation of DCPS, as well as responsibility for coordinating with external users and new customers. These responsibilities include requirements management, functional analysis, information assurance, and user documentation processes. The system is maintained and executed on the DISA mainframe platform at the Defense Enterprise Computing Center, Mechanicsburg, Pennsylvania (DECC MECH)². The Technology Services Engineering Organization in Pensacola (TSOPE) provides DCPS software engineering and operations support. Within TSOPE, several groups provide DCPS support. The Software Engineering Division provides technical design, programming, unit testing, and system documentation. Integration testing and evaluation processes are performed within the Software Test and Evaluation Division. Project Support provides system software, telecommunication, computer resource tools, and database support. DCPS Software Quality Assurance monitors the software engineering process and provides recommendations for improvement. The Systems Management Directorate provides configuration management, release management, implementation status, and customer support.

¹ The NSA payroll office is not included in the scope of this “Description of DCPS Operations and Controls Provided by DFAS and DISA”.

DCPS Systems Architecture

DCPS has a two-tiered architecture comprised of the following:

• Mainframe hardware and software components - used as a repository for the collection and accumulation of data, and to provide centralized, biweekly processing of civilian pay and its attendant functions (e.g., electronic funds transfer, generation of leave and earnings statements).

• Remote user/print spooler hardware and software - used to collect and/or pre-process data at customer sites, provide connectivity to DCPS mainframe components, and support printing of mainframe generated outputs (e.g., reports, timesheets) at customer locations. These components are largely customer-owned and operated, and include local area networks (LANs), personal computers, and a diverse assortment of printers and software that operates and connects them. A limited number of mid-tier (minicomputer) systems have been maintained by DFAS at selected DFAS sites to handle specialized printing requirements (e.g., paychecks). Other offloaded print services, such as bulk printing for DCPS payroll offices and printing of Leave and Earnings Statements, are performed on PC/workstation hardware maintained by the Defense Automated Printing Service (DAPS) at sites located in various U.S. and overseas geographical regions.

The two tiers of the DCPS architecture are connected via DoD-maintained networks comprised of Internet Protocol (IP)-based (e.g., Non-Classified Internet Protocol Router Network (NIPRNET)) and Systems Network Architecture (SNA)-based (leased line) services. These networks connect DCPS to a wide variety of external, non-DCPS sites (mainframes, mid-tiers, and PCs) that supply or exchange data with DCPS on a regular basis, mainly through electronic file transfers. Examples of external interface sites include the Defense Civilian Personnel Data System, Federal Reserve Board, Thrift Savings Plan, Department of Treasury, and non-DoD users such as DOE, HHS and EOP.

² According to DISA, Mechanicsburg is currently a DECC until September 2, 2005. Effective September 3, 2005, all DECCs are being converted to Systems Management Centers.
The main technical components of DCPS include the following attributes:

• DCPS is housed in a separate logical domain on an IBM Z900 mainframe computer located at DECC MECH;

• The IBM mainframe operating system software is Z/OS release 1.4;

• DCPS is written in COBOL II language;

• First point of entry security protection mechanisms are provided by Access Control Facility 2 (ACF2);

• DECC MECH provides four web servers that service all applications that support DCPS. These servers accept the users’ secure web requests by supplying a menu screen with options for each application to the DCPS LOGON SCREEN, where individuals enter their ACF2 login user IDs and passwords; and

• Third-party software packages are used for DCPS process scheduling and monitoring.

The payroll offices and associated CSRs have access to DCPS via dedicated leased lines, various DoD networks, and through Secure Web Access. Secure Web Access enables secure transaction processing across the NIPRNET; IBM Host On-Demand was used to establish the Secure Web Access infrastructure. DCPS users interact directly with the DCPS application through 3270 emulation, using terminals or terminal emulation programs with PC/AT (Personal Computer/Advanced Technology) keyboard mapping. This permits application-defined formatted screens to be displayed with protected static text and unprotected fields for data entry. The payroll offices are structured in accordance with DFAS standard staffing policy and conduct business using standard operating and support procedures. They operate on a 24-hour basis to provide payroll service to customers located in various time zones and are responsible for the full range of pay processing functions and services. As circumstances dictate, the offices serve as back-up operations sites for each other when contingency procedures must be invoked.

DoD Instruction 8500.2, "Information Assurance Implementation," February 6, 2003 (DoDI 8500.2), outlines specific control requirements that DoD systems should achieve based on their designated Mission Assurance Category (MAC). According to the current DCPS System Security Authorization Agreements (SSAAs) as of June 30, 2005, the MAC level for the DCPS application is "MAC III" and its supporting enclave at DISA-Mechanicsburg is "MAC II".
DCPS Data Flow


Figure 1 below depicts the DCPS data flow as of April 2005:

Figure 1: DCPS data flow (diagram not reproduced in this copy of the report)


Overview  of  System  Interfaces 

DCPS  is  a  combination  of  on-line  and  batch  programs  that  support  the  requirements  of  a 
bi-weekly,  and  in  the  case  of  the  President,  monthly  payroll,  for  over  762,000  civilian 
employees  in  the  Federal  government  based  on  data  feeds  from  numerous  personnel, 
accounting,  and  time  and  attendance  systems.  Transactions  to  update  employee  data, 
adjust  leave  balances  and  payments,  and  report  time  and  attendance  may  be  input  daily  to 
spread  the  online  workload  and  to  obtain  labor  data.  However,  the  focal  point  of  the 
system is the bi-weekly process. Non-bi-weekly process functions occur monthly,
quarterly,  annually,  or  as  required,  and  are  in  support  of  or  a  result  of,  multiple  bi-weekly 
pay  cycles.  DCPS  supports  a  standard  personnel  interface,  decentralized  time  and 
attendance  reporting,  and  the  CSR  structure. 

DCPS  accepts  input  from  three  primary  areas:  CSRs,  timekeepers,  and  personnel  offices. 
DCPS  receives  or  creates  approximately  140  interface  files  that,  among  other  functions: 

•  update  personnel  information, 

•  upload  time  and  attendance  data, 

•  download  information  for  checks  to  be  printed, 

•  report  accounting  information  to  Treasury, 

•  reconcile  enrollment  information  with  health  care  providers,  and 

•  download general accounting information to DoD agencies.

Automatic electronic file transfer directly to and from the host mainframe computer is
preferred for input and output file interfaces. Output files are automatically transmitted
to sites and activities using common file transfer protocols, via communication lines or
files written to magnetic tape at the host (per data in File Transfer Tables). CSRs must
provide  File  Transfer  Table  data  to  TSOPE  for  table  updates.  For  files  not  automatically 
transferred,  it  is  the  activity’s  responsibility  to  access  the  host  computer  to  retrieve 
(“pull”)  their  output  file(s)  from  the  host.  It  is  the  responsibility  of  the  activity  creating 
an  input  interface  file  for  DCPS  to  deliver  it,  by  whatever  means,  to  the  payroll  office  or 
the  processing  center  supporting  the  payroll  office.  A  mutually  agreeable  schedule 
between  the  payroll  activity  and  the  submitting  activity  must  be  established  to  ensure 
timely  receipt  of  data  to  support  DCPS  payroll  processing.  TSOPE  is  responsible  for 
executing  and  monitoring  the  interface  processing  as  well  as  resolving  interfacing 
processing  errors  or  problems. 

B.  Control  Environment 


DCPS  Management  Oversight 
The DFAS M&CPS Business Line (under the cognizance of the DFAS Director) provides
high-level  management  control  and  coordination  within  DoD  and  DCPS  external 
customers.  The  Civilian  Pay  Services  Product  Line  (within  the  M&CPS)  has  overall 
daily  responsibility  for  the  DCPS  system.  The  DFAS  Information  and  Technology 
Directorate  is  responsible  for  reviewing,  approving  the  overall  DCPS  security  policy  and 
its  certification  and  accreditation  plan,  and  granting  DCPS  authority  to  operate.  The 
TSOPE,  a  unit  of  DFAS,  provides  DCPS  software  engineering,  production  support,  and 
customer  service.  The  TSOPE  reports  to  the  Civilian  Pay  Services  Product  Line.  DCPS 
is  maintained  and  executed  on  DISA  mainframe  platforms  at  DECC  MECH.  DECC 
MECH  is  part  of  the  Center  for  Computing  Services  within  the  Global  Information  Grid 
Combat  Support  Directorate,  which  is  a  Strategic  Business  Unit  within  DISA.  DISA  and 
DFAS  are  Defense  Agencies  that  report  to  the  Office  of  the  Secretary  of  Defense.  DISA 
support  services  provided  to  DCPS  are  documented  in  a  signed  service  level  agreement 
between  DISA  and  DFAS.  The  service  level  agreement  is  reviewed  and  updated  by  both 
agencies  on  an  annual  basis.  Both  DFAS  and  DISA  have  documented  policies  and 
procedures  for  their  respective  functions. 

Personnel  Policies  and  Procedures 

DFAS  Payroll  Offices  and  TSOPE 

Payroll  office  employees  and  contractors  are  required  to  review  applicable  administrative 
orders,  policies,  and  procedures  with  the  Human  Resource  Office  and  must  complete 
appropriate  forms  to  gain  access  to  DFAS  systems.  New  employees  must  meet  with  the 
Information  Security  (IS)  Manager.  The  IS  Manager  is  responsible  for:  (1)  providing 
basic  systems  security  awareness  training,  (2)  securing  civilians’  and  contractors’ 
signatures  on  an  Automated  Data  Processing  Security  Awareness  disclosure,  (3) 
identifying  to  the  employee  who  their  Terminal  Area  Security  Officer  (TASO)  is  and 
what  the  TASO  responsibilities  are,  and  (4)  notifying  appropriate  personnel  to  provide 
access  or  to  immediately  terminate  employee  and/or  contractor  access  to  DFAS 
automated  information  system  resources  when  an  employee  and/or  contractor  are 
processing-in  or  processing-out.  The  payroll  offices  and  TSOPE  facilities  do  not  require 
any  specific  level  of  prior  security  clearance  before  a  candidate  can  become  an  employee. 

DECC  MECH 

The security manager is responsible for processing and vetting new employees and contractors who are given access to DISA facilities in Mechanicsburg. All employees and contractors are required, at a minimum, to have a secret clearance and a positive National Agency Check. For employees, the security manager coordinates with the personnel office; for contractors, the security manager coordinates with the contracting officer. The contracting officer is responsible for confirming that all contractors are assigned to a valid contract and have been approved to operate at DECC MECH.

All new employees are required to sign DISA Form 312, "Classified Information Nondisclosure Agreement," which serves as a nondisclosure agreement for sensitive and classified information. When employees are terminated, DISA requires them to sign the same Form 312 to confirm their understanding of the requirements put upon them. For new employees and contractors to gain access to DISA systems, they are required to complete DD Form 2875, "System Authorization Access Request." The security manager is responsible for vetting these forms and confirming that the person requesting access has the proper clearance for the level of access requested. For contractors, the security manager confirms the length of the contract and determines when system accounts should expire. All new employees and contractors must complete security awareness training.

C.  Monitoring 


Management  and  supervisory  personnel  at  DFAS  and  DISA  monitor  the  performance 
quality  and  internal  control  environment  as  a  normal  part  of  their  activities.  DFAS  and 
DISA  have  implemented  a  number  of  management,  financial,  and  operational  reports  that 
help  monitor  the  performance  of  payroll  processing,  as  well  as  the  DCPS  system  itself. 
These  reports  are  reviewed  periodically  and  action  is  taken  as  necessary.  All  procedural 
problems and exceptions to normal and scheduled processing are logged, reported, and
resolved  in  a  timely  manner,  with  remedial  action  taken  as  necessary. 

In  addition,  several  organizations  within  DoD  perform  monitoring  activities  associated 
with  DCPS-related  internal  controls.  These  functions  include: 

DISA  Office  of  the  Inspector  General  and  Field  Security  Office 

DISA  has  its  own  Office  of  Inspector  General  (OIG),  which  is  an  independent  office 
within  DISA  that  conducts  internal  audits,  inspections,  and  investigations.  The  DISA- 
related  components  that  support  DCPS  are  part  of  the  DISA  OIG  audit  universe  and  are 
subject  to  audits,  inspections,  and  investigations  conducted  by  this  office. 

In addition, DISA has a Field Security Operations (FSO) unit that performs periodic Security Readiness Reviews (SRRs) of DISA systems to determine whether those systems are in compliance with the DISA documented Security Technical Implementation Guides (STIGs). The DCPS system components that are maintained by DISA are subject to these FSO reviews. The FSO is independent of the DECC MECH management structure and does not maintain or configure DCPS systems.

Certification  and  Accreditation 

DoD  Instruction  5200.40,  “Department  of  Defense  Information  Technology  Security 
Certification  and  Accreditation  Process  (DITSCAP),”  December  30,  1997,  establishes  a 
standard  Department-wide  process,  set  of  activities,  general  tasks,  and  management 
structure  to  certify  and  accredit  information  systems  that  will  maintain  the  information 
assurance  and  security  posture  of  the  defense  information  infrastructure  throughout  the 
life  cycle  of  each  system.  The  certification  process  is  a  comprehensive  evaluation  of  the 
technical  and  non-technical  security  features  of  an  information  system  and  other 
safeguards  to  establish  the  extent  to  which  a  particular  design  and  implementation  meets 
specified  security  requirements  and  covers  physical,  personnel,  administrative, 
information,  information  systems,  and  communications  security.  The  accreditation 
process is a formal declaration by the designated approving authority that an information
system  is  approved  to  operate  in  a  particular  security  mode  using  a  prescribed  set  of 
safeguards  at  an  acceptable  level  of  risk. 

DCPS  is  subject  to  the  requirements  of  DITSCAP  and  must  meet  all  of  the  DITSCAP 
certification  and  accreditation  requirements  throughout  its  life  cycle.  As  part  of  the 
DCPS  DITSCAP  process,  separate  SSAAs  have  been  prepared  for  the  DCPS  application 
itself  and  for  the  system  enclave  within  DISA  that  supports  the  application.  Each  SSAA 
is  a  living  document  that  represents  an  agreement  between  the  designated  approving 
authority,  certifying  authority,  user  representative,  and  program  manager.  Among  other 
items,  the  DCPS  SSAA  documents  DCPS’  mission  description  and  system  identification, 
environment  description,  system  architecture  description,  system  class,  system  security 
requirements,  organizations  and  resources,  and  DITSCAP  plan.  On  a  periodic  basis,  the 
system security officer must verify and validate DCPS' compliance with the information
in  the  SSAA.  These  verification  and  validation  procedures  include,  among  other  steps, 
vulnerability  evaluations,  security  testing  and  evaluation,  penetration  testing,  and  risk 
management reviews. The DCPS application SSAA, which was issued in May 2002 and valid for three years, is currently being modified as part of the DITSCAP recertification and reaccreditation process that is expected to be completed in July 2005. The DECC MECH enclave SSAA, which was issued in October 2003, is valid for three years and is the same SSAA that was in place for the DCPS audit report issued in October 2004.

DoD  Office  of  Inspector  General  (DoD  OIG) 

The  DoD  OIG  was  established  under  the  Inspector  General  Act  of  1978  by  Congress  to 
conduct  and  supervise  audits  and  investigations  related  to  the  programs  and  operations  of 
the  DoD.  The  DoD  OIG  reports  directly  to  the  Secretary  of  Defense  and  is  independent 
of  DFAS  and  DISA.  DCPS,  as  well  as  the  payroll  processes  it  supports,  is  part  of  the 
DoD  OIG  audit  universe  and  is  subject  to  financial,  operational,  and  information 
technology  audits,  reviews,  and  special  assessment  projects. 

D.  Risk  Assessment 


The  DITSCAP  process,  discussed  in  subsection  C  above,  includes  several  activities  that 
document  and  assess  risks  associated  with  DCPS.  The  DCPS  application  and  enclave 
SSAAs,  which  are  a  product  of  the  DITSCAP  process,  also  document  threats  to  DCPS 
and its supporting technical environment. The SSAAs also contain Residual Risk
Assessments  that  document  vulnerabilities  noted  during  DCPS  tests  and  analyses.  The 
information  contained  in  the  SSAAs  is  updated  on  a  periodic  basis.  Personnel  from 
DFAS  TSOPE  and  DECC  MECH  participate  in  these  risk  assessment  activities. 

E.  Information  and  Communication 


DCPS is the information system used to process civilian payroll for DoD and its payroll customers, such as EOP, DOE and HHS. The processing of payroll involves over 140 data files that interface with DCPS. These interfaces are linked to other DoD financial systems as well as external systems. The majority of the interfaces are automated. All automated interfaces must conform to documented interface specifications developed by the TSOPE, which is responsible for executing and monitoring the automated interfaces.

The  support  relationship  between  DFAS  and  DECC  MECH  is  documented  through  a 
service  level  agreement  that  is  reviewed  and  updated  annually.  The  service  level 
agreement  outlines  various  DFAS  and  DECC  MECH  points  of  contact  and  liaisons  that 
should  be  used  when  DCPS  issues  arise.  DECC  MECH  also  assigned  a  customer 
relationship  manager  to  work  with  DFAS  TSOPE  to  resolve  any  DCPS  processing 
problems  or  concerns. 

Within  DFAS,  the  TSOPE  and  payroll  offices  have  a  weekly  meeting  between  the 
directors  and  managers  of  both  organizations  to  discuss  DCPS  processing  issues.  There 
is  also  a  Configuration  Control  Board  (CCB),  comprised  of  TSOPE  and  payroll  office 
personnel,  to  review  and  approve  functional  and  systemic  changes  to  DCPS.  The  payroll 
offices  also  have  a  help  desk  function  to  identify  and  track  user  issues  and  problems  with 
DCPS  and  communicate  those  issues  and  problems  to  the  TSOPE  for  resolution. 

F.  Control  Activities 


The  DCPS  control  objectives  and  related  control  activities  are  included  in  Section  III  of 
this  report,  “Information  Provided  by  the  Service  Auditor,”  to  eliminate  the  redundancy 
that  would  result  from  listing  them  in  this  section  and  repeating  them  in  Section  III. 
Although  the  control  objectives  and  related  controls  are  included  in  Section  III,  they  are, 
nevertheless,  an  integral  part  of  the  description  of  controls. 

G.  User  Organization  Control  Considerations 


The  control  activities  at  DFAS  and  DISA  related  to  DCPS  were  designed  with  the 
assumption  that  certain  controls  would  be  placed  in  operation  at  user  organizations.  This 
section  describes  some  of  the  controls  that  should  be  in  operation  at  user  organizations  to 
complement  the  controls  at  DFAS  and  DISA. 

User  organizations  should  have  policies  and  procedures  in  place  to  ensure  that: 

•  The  Information  Systems  Security  Officer  (ISSO)  located  at  the  payroll 
offices  is  notified  of  all  terminated  employees  that  are  DCPS  users. 
•  The local Human Resource Office is notified of all terminated employees, so
that  such  employees  are  removed  from  the  Master  Employee  Record  in  a 
timely  manner. 

•  All  time  entered  by  timekeepers  is  approved  and  authorized  by  appropriate 
user  organization  management. 

•  All  Master  Employee  Records  created  represent  valid  employees. 

•  All  changes  to  the  Master  Employee  Record  are  approved  by  appropriate  user 
organization  personnel  prior  to  payroll  processing. 

•  Segregation  of  duties  exists  between  those  at  the  user  organization  who  enter 
time  and  those  who  enter  or  change  Master  Employee  Records. 

•  If  a  pseudo  Social  Security  Number  (SSN)  is  created,  the  pseudo  SSN  has 
been  authorized  by  appropriate  user  organization  personnel  and,  if  necessary, 
is  accurately  tied  to  a  primary  and  valid  SSN. 

•  User  organization  managers  review  the  “Control  of  Hours”  and  other  payroll- 
related  reports  for  appropriateness  and  accuracy. 

•  All  invalid  time  entry  interface  feeds  are  reviewed  and  processed  by 
appropriate  user  organization  personnel  in  a  controlled  manner. 

•  All  invalid  personnel  record  interface  feeds  are  resolved  in  the  interface 
system  by  user  organization  personnel  with  appropriate  approval  by  user 
organization  management. 
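The segregation-of-duties, terminated-user and pseudo-SSN items above are controls the user organization is expected to operate. The following is an added example, not code from this report, DFAS or DISA, showing how three of them can be tested mechanically from exported data. The role labels TIMEKEEPER and MER_MAINTAINER, the Master Employee Record fields, the HR termination export and all sample data are assumptions constructed for the illustration; the real DCPS role names and record layout are not given on this page.

```python
"""Added example (not from the DCPS audit report): three user-organization
control checks, written to run over exported access and HR data.

Assumptions for illustration only:
  - a DCPS user export lists each user ID with its granted roles; the labels
    TIMEKEEPER (enters time) and MER_MAINTAINER (enters or changes Master
    Employee Records) are invented, not DCPS role names;
  - HR exports terminated employees with a termination date;
  - Master Employee Records carry an SSN, a pseudo-SSN flag and, for pseudo
    SSNs, the primary SSN they are tied to.
All sample data below is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple
import re

TIMEKEEPER = "TIMEKEEPER"          # invented label: enters time
MER_MAINTAINER = "MER_MAINTAINER"  # invented label: maintains Master Employee Records


@dataclass(frozen=True)
class DcpsUser:
    user_id: str
    roles: FrozenSet[str]


@dataclass(frozen=True)
class MasterRecord:
    ssn: str
    is_pseudo: bool
    primary_ssn: Optional[str] = None  # populated only for pseudo SSNs


_SSN_RE = re.compile(r"^(\d{3})-(\d{2})-(\d{4})$")


def is_valid_ssn(ssn: str) -> bool:
    """Structural SSN check (SSA rules): area not 000, 666 or 900-999,
    group not 00, serial not 0000. Does not prove the number was issued."""
    m = _SSN_RE.match(ssn)
    if not m:
        return False
    area, group, serial = (int(x) for x in m.groups())
    return area not in (0, 666) and area < 900 and group != 0 and serial != 0


def sod_violations(users: Iterable[DcpsUser]) -> List[str]:
    """Segregation of duties: users holding both time-entry and MER-maintenance roles."""
    conflicting = {TIMEKEEPER, MER_MAINTAINER}
    return sorted(u.user_id for u in users if conflicting <= u.roles)


def stale_accounts(users: Iterable[DcpsUser], terminations: Dict[str, date],
                   as_of: date, grace_days: int = 0) -> List[Tuple[str, date]]:
    """Terminated employees whose DCPS user ID is still present in the access export."""
    active = {u.user_id for u in users}
    return sorted(
        (uid, term) for uid, term in terminations.items()
        if uid in active and (as_of - term).days > grace_days
    )


def unlinked_pseudo_ssns(records: Iterable[MasterRecord]) -> List[str]:
    """Pseudo SSNs not tied to a primary SSN that is both present and structurally valid."""
    records = list(records)
    primaries = {r.ssn for r in records if not r.is_pseudo and is_valid_ssn(r.ssn)}
    return sorted(
        r.ssn for r in records
        if r.is_pseudo and (r.primary_ssn is None or r.primary_ssn not in primaries)
    )


# Constructed sample data (not real users or SSNs).
USERS = [
    DcpsUser("tk01", frozenset({TIMEKEEPER})),
    DcpsUser("hr02", frozenset({MER_MAINTAINER})),
    DcpsUser("both03", frozenset({TIMEKEEPER, MER_MAINTAINER})),  # SoD conflict
    DcpsUser("gone04", frozenset({TIMEKEEPER})),                  # terminated, still active
]
TERMINATIONS = {"gone04": date(2005, 5, 31), "tk01": date(2005, 7, 15)}  # tk01 not yet past its date
AS_OF = date(2005, 6, 30)
RECORDS = [
    MasterRecord("123-45-6789", False),
    MasterRecord("900-12-3456", False),                # invalid area; cannot anchor a pseudo SSN
    MasterRecord("999-00-0001", True, "123-45-6789"),  # properly linked
    MasterRecord("999-00-0002", True, "900-12-3456"),  # linked to an invalid primary
    MasterRecord("999-00-0003", True, None),           # not linked at all
]


def run_checks() -> Dict[str, list]:
    """Run all three checks over the sample data and return the findings."""
    return {
        "sod": sod_violations(USERS),
        "stale": stale_accounts(USERS, TERMINATIONS, AS_OF),
        "pseudo": unlinked_pseudo_ssns(RECORDS),
    }


if __name__ == "__main__":
    for name, findings in run_checks().items():
        print(f"{name}: {findings}")
```

Each function returns the exceptions rather than a pass/fail flag so the output can be filed as evidence for the reviewer who clears it; the grace period on stale_accounts exists because the report asks only for "timely" removal, which the user organization must define for itself.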
Section III: Control Objectives, Control Activities, and Tests of Operating Effectiveness

III. Control Objectives, Control Activities, and Tests of
Operating Effectiveness

A.  Scope  Limitations 


The  control  objectives  documented  in  this  section  were  specified  by  the  DoD  OIG.  As 
described  in  the  prior  section  (Section  II),  DCPS  interfaces  with  many  systems.  The 
controls  described  and  tested  within  this  section  of  the  report  are  limited  to  those 
computer  systems,  operations,  and  processes  directly  related  to  DCPS  itself.  The  controls 
related  to  the  source  and  destination  systems  associated  with  the  DCPS  interfaces  are 
specifically  excluded  from  this  review.  We  did  not  perform  procedures  to  evaluate  the 
effectiveness  of  the  input,  processing,  and  output  controls  within  these  interface  systems. 
However,  we  did  perform  procedures  to  evaluate  DCPS  interface  input  and  output 
controls. In addition, we did not perform any procedures to evaluate the integrity and
accuracy of the data contained in DCPS.

B. Control Objectives, Control Activities, and Tests of Operating Effectiveness

IV. Supplemental Information Provided by DFAS and DISA


Introduction 

This section has been prepared by DFAS and DISA and is included to provide user organizations with information DFAS and DISA believe will be of interest to such organizations; however, it is not covered within the scope or control objectives established for the SAS 70 review. Specifically included is a summary of procedures that DFAS and DISA have put into place to enable recovery from a disaster affecting either DFAS TSOPE or DECC MECH.

This  information  has  not  been  subjected  to  the  procedures  applied  to  the 
examination  of  the  description  of  controls  presented  in  Sections  II  and  III  of  this 
report,  and  accordingly,  the  DoD  OIG  expresses  no  opinion  regarding  the 
completeness  and  accuracy  of  this  information. 

TSOPE  Specific  Business  Continuity  Plans 

The  DCPS  production  support  Continuity  of  Operations  Plan  (COOP)  provides  an  action 
plan  to  be  implemented  when  there  is  a  disaster  or  impending  threat  that  would  render 
DCPS  production  support  inoperable  (e.g.,  hurricane,  damage  to  TSOPE  facilities  due  to 
fire,  etc.).  This  plan  is  evaluated  and  updated,  accordingly,  on  an  annual  basis.  If  an 
impending  threat  or  event  occurs,  production  support  control  for  the  DCPS  production 
support is transferred to an alternate processing site, currently defined to be the Defense
Ammunition Center Huntsville, AL. Contained in the detailed COOP are names of
DCPS  staff  members  who  will  serve  as  a  pool  of  resources  to  be  mobilized  to  execute  the 
plan  and  a  list  of  documentation  and  supplies  that  are  necessary  to  support  the  mobilized 
team. 

Team  members  are  comprised  of  DCPS  development  staff  members  across  many 
divisions  and  branches.  TSOPE  designates  two  members  of  the  management  team  to  be 
responsible  for  COOP  execution.  One  is  mobilized  with  the  team  and  is  responsible  for 
team  activities  and  communication  with  TSOPE  while  deployed  to  the  COOP  recovery 
site.  The  other  serves  as  the  team’s  liaison  at  TSOPE  and  is  responsible  to  relay  current 
status,  current  area  weather  conditions,  and  other  pertinent  information  to  the  mobilized 
team.  The  team  is  further  divided  into  two  teams,  with  each  covering  a  12-hour  shift. 
Team  leaders  are  appointed  for  the  respective  shift  teams.  Each  step  included  in  planning 
and  executing  the  COOP  is  coordinated  with  full  cooperation  and  involvement  by  the 
DCPS  project  management  staff.  Although  this  plan  works  for  any  type  of  disaster  where 
production  support  becomes  inoperable,  it  has  been  executed  several  times  in  the  past  few 
years  during  impending  disastrous  weather  conditions,  such  as  hurricanes. 

DECC  MECH  Business  Continuity  Plans 

To  accommodate  a  major  disaster  at  any  major  DISA  processing  center,  DISA  has 
established  the  DISA  Continuity  and  Test  Facility  at  Slidell,  LA.  This  facility  is 
equipped  with  computational,  Direct  Access  Storage  Devices,  and  telecommunications 
resources  sized  to  provide  a  fully  functional  host  site  with  the  capacity  to  support  a  major 
disaster  at  any  DISA  processing  center.  The  COOP  support  agreement  between  DFAS, 
as  the  customer,  and  DISA,  as  the  provider  of  processing  systems  and  communications 
services,  provides  for  restoring  host  site  processing  in  the  event  of  a  major  disaster  and 
the  timely  resolution  of  problems  during  other  disruptions  that  adversely  affect  DCPS 
processing. The plan, as it relates to DCPS, details data restoration procedures for the
MZF  OS/390  operating  system,  the  DCPS  Integrated  Database  Management  System,  and 
related  mid-tier  servers  and  communication  devices.  Backup  tapes  containing  the 
incremental  daily  and  the  complete  weekly  backups  are  rotated  offsite  to  the  Processing 
Element  Chambersburg  for  storage  on  a  predetermined  schedule. 

The  Crisis  Management  Team  at  DECC  MECH  is  responsible  for  declaring  a  disaster  has 
occurred  and  initiating  the  Business  Continuity  Plan.  The  Crisis  Management  Team  will 
then  activate  the  following  response  teams:  Communications  Team,  Recovery 
Coordination  Team,  Site  Recovery  Team,  and  the  Crisis  Support  Team.  Each  team  has  a 
specific  set  of  responsibilities  defined  in  the  Business  Continuity  Plan.  The  contact 
information  for  each  individual  on  each  team  is  also  included  in  the  Business  Continuity 
Plan.  The  plan  is  required  to  be  tested  on  an  annual  basis.  TSOPE  personnel  participate 
in  the  yearly  COOP  test  to  ensure  that  the  process  works  correctly  and  documentation  is 
updated  appropriately. 
Acronyms and Abbreviations

ACF2        Access Control Facility 2
ACL         Access Control List
AIS         Automated Information System
CAC         Common Access Card
CCB         Configuration Control Board
CM          Configuration Management
CMIS        Change Management Information System
COOP        Continuity of Operations Plan
COTS        Commercial off-the-shelf
CSR         Customer Service Representative
DAC         Discretionary Access Control
DAPS        Defense Automated Printing Service
DCPS        Defense Civilian Pay System
DECC        Defense Enterprise Computing Center
DECC MECH   Defense Enterprise Computing Center Mechanicsburg
DFAS        Defense Finance and Accounting Service
DISA        Defense Information Systems Agency
DITSCAP     Department of Defense Information Technology Security Certification and Accreditation Process
DMI         Desktop Management Initiative
DMZ         Demilitarized Zone
DoD         Department of Defense
DoDD        Department of Defense Directive
DoDI        Department of Defense Instruction
DoD OIG     Department of Defense Office of Inspector General
DOE         Department of Energy
DPL         Director's Policy Letter
EOP         Executive Office of the President
FSO         Field Security Operations
GOTS        Government off-the-shelf
HHS         Department of Health and Human Services
IAVM        Information Assurance Vulnerability Management
IA          Information Assurance
ID          Identification
IP          Internet Protocol
IDMS        Integrated Database Management System
IDS         Intrusion Detection System
ISO         Information Security Officer
ISS         Information Security Scanner
ISSO        Information Systems Security Officer
IT          Information Technology
LAN         Local Area Network
LPAR        Logical Partition
M&CPS       Military & Civilian Pay Services
MAC         Mission Assurance Category
MOA         Memorandum of Agreement
NIPRNET     Non-Classified Internet Protocol Router Network
NIST        National Institute of Standards and Technology
NSA         National Security Agency
OIG         Office of the Inspector General
OLQ         Online Queries
OS          Operating System
SA          System Administrator
SAAR        System Access Authorization Request
SCR         System Change Request
SDLC        System Development Life Cycle
SMC         System Management Center
SMO         System Management Office
SNA         Systems Network Architecture
SOP         Standard Operating Procedures
SRR         Security Readiness Review
SRRDB       Security Readiness Review Database
SSAA        System Security Authorization Agreement
SSN         Social Security Number
SSO         System Support Office
STIG        Security Technical Implementation Guide
TASO        Terminal Area Security Officer
TSO         Technology Services Organization
TSOPE       Technology Services Engineering Organization in Pensacola
TSP         Thrift Savings Plan
VMS         Vulnerability Management System
VPN         Virtual Private Network